I always thought NAT was some kind of security feature, and I still think it is, because if it didn't exist the internet, or rather the clients behind NATs, would be even more insecure, since for example port 445 would be directly open to everyone scanning clients, etc.

But there seem to be some attacks, in which all the attacker needs to know is the WAN IP address.

NAT isn't a security feature as such - it can be used to obscure individual IP addresses, sure, but its real value is in allowing you to buy only one public IP address but let an entire network connect through it.
–
Rory Alsop♦, Oct 6 '11 at 13:48

5 Answers

Assuming your home router is configured to deny all inbound connections, the easiest attacks to gain remote access to the LAN leverage the LAN itself.

1. Open WiFi: if the LAN is accessible via unsecured WiFi, and the router has a default password, it's trivial to log into the router and enable some inbound ports. Obviously requires physical proximity.

   Or if you have RJ-45s that a (malicious) visitor could use to get on your LAN, you have the same vulnerability.

   Or if you let visitors use your computer.

2. "Drive-by pharming": trick a user on the LAN into running code (a Java applet) that logs into the router (again assuming a default or easily crackable password) and enables some inbound ports.

3. If the attacker can MITM your web connection, he could modify pages while you surf to inject the pharming attack listed in #2 to open ports on your router.

4. For certain vulnerable routers: with access to your LAN, even if you have a secure admin password configured, an attacker can use creative hostnames when registering via DHCP to poison your DNS cache or possibly inject XSS into the router's admin interface.

5. Again, for certain vulnerable routers: with access to your LAN, an attacker may be able to sniff your authentication session to get the router password.

6. CSRF attacks: you visit a malicious web page that attempts CSRF against your router's admin area. (For certain vulnerable routers with the default password set, or if you are already authenticated to the router in that browser session.)

7. CSRF combined with an authentication bypass vulnerability: some routers have bugs in the web admin interface that process unauthenticated requests.

The client (victim) submits the form without knowing. An HTTP connection is created to the (fake) IRC server.

The fake IRC server, run by the attacker, simply listens, unlike me according to former girlfriends.

The form also has a hidden value that sends: "PRIVMSG samy :\1DCC CHAT samy [ip in decimal] [port]\1\n"

Your router, doing you a favor, sees an "IRC connection" (even though your client is speaking in HTTP) and an attempt at a "DCC chat". DCC chats require opening a local port on the client for the remote chatter to connect back to you.

Since the router is blocking all inbound connections, it decides to forward any traffic to the port in the "DCC chat" back to you to allow NAT traversal for the friendly attacker to connect back and "chat" with you. However, the attacker specified the port to be, for example, port 21 (FTP). The router port forwards 21 back to the victim's internal system. The attacker now has a clear route to connect to the victim on port 21 and launch an attack, downloading the victim's highly classified cute kitten pictures.
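The DCC trick in this answer turns on what the router's IRC application-layer gateway (ALG) does with the bytes it sees on an outbound connection to the IRC port. The following is an added example, not code from the answer or from any router firmware: it parses the exact `DCC CHAT` string quoted above, decodes the decimal address, and shows a permissive ALG beside one with three checks that would have refused the pinhole. The victim address 192.168.1.100, the HTTP form body and the "real" IRC session are all constructed for the demonstration, and the three checks are my own policy, not a particular vendor's (the address-must-match-source rule is the one Linux's nf_conntrack_irc helper applies; the "stream must start with IRC registration" and "unprivileged port only" rules are assumptions).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# What an IRC ALG looks for inside an outbound stream to the IRC port.
DCC_CHAT_RE = re.compile(rb"\x01DCC CHAT \S+ (\d+) (\d+)\x01")


@dataclass(frozen=True)
class Expectation:
    """A pinhole the ALG asks the NAT to open: WAN:port -> lan_ip:port."""
    lan_ip: str
    port: int


def decimal_to_ip(n: int) -> str:
    """DCC carries the address as a 32-bit decimal, e.g. 3232235876 -> 192.168.1.100."""
    return str(ipaddress.IPv4Address(n))


def naive_irc_alg(conn_src_ip: str, stream: bytes) -> Optional[Expectation]:
    """Permissive ALG, as described in the answer: any outbound stream to 6667 is
    scanned for DCC CHAT, with no check that the stream is actually IRC."""
    m = DCC_CHAT_RE.search(stream)
    if m is None:
        return None
    return Expectation(decimal_to_ip(int(m.group(1))), int(m.group(2)))


# Assumption: a genuine IRC client's first line is one of these registration commands.
IRC_REGISTRATION = (b"NICK ", b"USER ", b"PASS ", b"CAP ")


def hardened_irc_alg(conn_src_ip: str, stream: bytes) -> Optional[Expectation]:
    """Same parser plus three checks (my policy, not any vendor's):
    1. the stream must open with IRC registration, not an HTTP request line;
    2. the advertised address must be the connection's own LAN source
       (nf_conntrack_irc rejects a mismatch as a forged DCC command);
    3. the port must be unprivileged, so no pinhole to 21, 445 and friends."""
    first_line = stream.split(b"\n", 1)[0]
    if not first_line.startswith(IRC_REGISTRATION):
        return None
    exp = naive_irc_alg(conn_src_ip, stream)
    if exp is None or exp.lan_ip != conn_src_ip or exp.port < 1024:
        return None
    return exp


# Constructed traffic. The victim's LAN address is 192.168.1.100; the attacker's page
# posts a multipart form to his fake IRC server on 6667 with the DCC string in the body.
VICTIM_LAN_IP = "192.168.1.100"
VICTIM_DECIMAL = int(ipaddress.IPv4Address(VICTIM_LAN_IP))  # 3232235876

PINNING_POST = (
    b"POST / HTTP/1.1\r\nHost: attacker.example\r\n"
    b"Content-Type: multipart/form-data; boundary=x\r\n\r\n--x\r\n"
    b"Content-Disposition: form-data; name=\"f\"\r\n\r\n"
    b"PRIVMSG samy :\x01DCC CHAT samy " + str(VICTIM_DECIMAL).encode() + b" 21\x01\n"
    b"--x--\r\n"
)

# A legitimate client doing the same DCC CHAT on an ephemeral port.
REAL_IRC_SESSION = (
    b"NICK alice\r\nUSER alice 0 * :alice\r\n"
    b"PRIVMSG bob :\x01DCC CHAT alice " + str(VICTIM_DECIMAL).encode() + b" 51234\x01\r\n"
)

if __name__ == "__main__":
    print("naive ALG, pinning POST   :", naive_irc_alg(VICTIM_LAN_IP, PINNING_POST))
    print("hardened ALG, pinning POST:", hardened_irc_alg(VICTIM_LAN_IP, PINNING_POST))
    print("hardened ALG, real IRC    :", hardened_irc_alg(VICTIM_LAN_IP, REAL_IRC_SESSION))
```

The permissive version hands back a forward for port 21 to the victim; the hardened version refuses the HTTP stream outright, and would also refuse a real IRC session that names another host's address or a privileged port. Note that check 2 alone is not enough: the attacker can learn the victim's internal address from the browser (the answer's applet does exactly that) and put it in the DCC string.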

NAT on home routers typically allows all outbound connections initiated by users on the LAN. NAT is typically paired with UPnP to allow users/hosts/services to open required ports outbound as needed.

Typically, there is no restriction on initiating outbound connections to make the connection as user-friendly as possible.

If you consider the following factors common to home router deployments:

- lack of monitoring
- poor or default configuration (default passwords)
- users (even technical users will click on
- poor security of hosts on the LAN (A/V, patching)

An attack which exploits the way NAT works on home routers, rather than a direct attack on NAT itself, is simply a (spear)phishing attack against a user on the LAN.

Example: a packed PDF which the user is likely to click on, and which subsequently executes code to call home, will be able to initiate an outbound connection, allowing the attacker to use the reverse channel to further exploit the LAN host as required.

Note: This comes from my experience with home routers (Billion, Linksys) running default firmware. If a home user deploys a Cisco 877 or Linksys running custom firmware, additional security controls could be applied.

For example, if you have a server running on port 445 and it is NAT'ed to the Internet, an attacker doesn't really even need to know it is NAT'ed - the NAT'ing will allow them to connect to it on whatever IP and port are displayed to the Internet.

This doesn't even count as an attack on NAT - NAT is irrelevant here.

The piece that will give you security is the access control/firewalling functionality of a router. That is what will stop attackers on the Internet scanning your clients.

EDIT - it has been pointed out that home router NAT'ing does provide one-direction NAT by default, which effectively does give you a deny-all access control rule like a firewall.

Advice:

- Use NAT to allow multiple computers to access the Internet, but do not imagine it provides security.
- For security, ensure that your router/firewall denies ALL inbound connections, except those you absolutely need and those connections which are in response to an outbound request.

"it has been pointed out that home router NAT'ing does provide one-direction NAT by default, which effectively does give you a deny-all access control rule like a firewall." That was exactly what I meant; I was indeed wondering how you could break through a home router's NAT. Of course I was presuming that port forwarding was disabled and all the attacker sees is the WAN IP with no open ports. How can he attack such a system? How does he get to the inside LAN?
–
Ian, Oct 6 '11 at 21:13

Any feature which provides accidental security provides only transient security, because it is not part of a security plan. If you don't plan to operate and maintain security mechanisms then you cannot know if they will work at a given point in time, i.e. if you didn't test it, then it doesn't work.
–
this.josh, Oct 7 '11 at 7:49


Rory, sorry, but I don't feel your answer in its current form addresses the question.
–
lew, Oct 12 '11 at 23:03

NAT is used for topology hiding. We don't want everyone seeing our WAN and LAN schema along with port numbers, so we hide it. PAT (port address translation) is where we use a single public IP and are able to overload it with our LAN IPs. It does this by ports. This is how it knows which program, web page, etc. can get back to your specific IP address.
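Several answers in this thread rest on the same mechanism: PAT overloads one public address by port (the answer just above), outbound connections always create state, inbound packets are accepted only as replies to that state (Rory's edit about one-direction NAT acting as a deny-all rule, and the phished-PDF reverse channel in the earlier answer), and every attack described here is ultimately trying to get an explicit forward added. The following is an added example that is not from any of the answers and models no particular router: a toy NAPT box with endpoint-restricted filtering (inbound must come from the remote endpoint the LAN host talked to, as a stateful firewall's RELATED/ESTABLISHED rule would require; a full-cone home router is weaker and would answer any source once a mapping exists). All addresses are constructed from the RFC 5737 test networks and the 192.168.1.0/24 LAN.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class HomeNapt:
    """Toy NAPT (PAT) box: one WAN address shared by a whole LAN (assumed model).
    Egress always succeeds and records state. Ingress is translated only when it
    answers an existing outbound flow or hits an explicit port forward."""
    wan_ip: str
    next_port: int = 40000
    # wan_port -> (lan endpoint, remote endpoint) for flows started from inside
    sessions: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)
    # reverse index so an existing flow keeps its WAN port
    by_flow: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # wan_port -> lan endpoint: the "open a port" every attack in the thread aims for
    forwards: Dict[int, Endpoint] = field(default_factory=dict)
    dropped: List[Packet] = field(default_factory=list)

    def egress(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) a WAN port and rewrite the source."""
        flow = ((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        if flow not in self.by_flow:
            self.by_flow[flow] = self.next_port
            self.sessions[self.next_port] = flow
            self.next_port += 1
        return Packet(self.wan_ip, self.by_flow[flow], pkt.dst_ip, pkt.dst_port)

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: rewrite the destination only if state or a forward says so."""
        session = self.sessions.get(pkt.dst_port)
        if session and session[1] == (pkt.src_ip, pkt.src_port):
            lan_ip, lan_port = session[0]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.forwards:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        self.dropped.append(pkt)
        return None


WAN = "203.0.113.7"       # constructed WAN address of the home router
ATTACKER = "198.51.100.9"  # constructed attacker on the Internet
WEB = "192.0.2.80"         # constructed web server


def scan_is_dropped() -> bool:
    """The question's port 445 case: nothing inside asked for it, so it dies at the box."""
    box = HomeNapt(WAN)
    return box.ingress(Packet(ATTACKER, 55555, WAN, 445)) is None


def pat_demultiplexes_two_hosts() -> Tuple[str, str]:
    """Two LAN hosts use the same source port to the same server; PAT tells them
    apart by the WAN port it assigned, so each reply lands on the right host."""
    box = HomeNapt(WAN)
    a = box.egress(Packet("192.168.1.10", 50001, WEB, 443))
    b = box.egress(Packet("192.168.1.11", 50001, WEB, 443))
    reply_a = box.ingress(Packet(WEB, 443, WAN, a.src_port))
    reply_b = box.ingress(Packet(WEB, 443, WAN, b.src_port))
    return reply_a.dst_ip, reply_b.dst_ip


def callback_opens_return_path() -> bool:
    """The phished-PDF case: the victim connects out, so the attacker's replies are
    'in response to an outbound request' and the box lets them through."""
    box = HomeNapt(WAN)
    out = box.egress(Packet("192.168.1.20", 49152, ATTACKER, 443))
    back = box.ingress(Packet(ATTACKER, 443, WAN, out.src_port))
    return back is not None and back.dst_ip == "192.168.1.20"


def third_party_cannot_use_session() -> bool:
    """Endpoint-restricted filtering: guessing the WAN port is not enough."""
    box = HomeNapt(WAN)
    out = box.egress(Packet("192.168.1.20", 49152, WEB, 443))
    return box.ingress(Packet(ATTACKER, 443, WAN, out.src_port)) is None


def forward_exposes_host() -> bool:
    """Once a forward for 21 exists (UPnP, a CSRF'd admin page, a DCC pinhole),
    the box is no longer deny-all for that port."""
    box = HomeNapt(WAN)
    box.forwards[21] = ("192.168.1.100", 21)
    hit = box.ingress(Packet(ATTACKER, 55555, WAN, 21))
    return hit is not None and (hit.dst_ip, hit.dst_port) == ("192.168.1.100", 21)


if __name__ == "__main__":
    print("unsolicited 445 dropped :", scan_is_dropped())
    print("PAT replies routed to   :", pat_demultiplexes_two_hosts())
    print("callback reply allowed  :", callback_opens_return_path())
    print("third party blocked     :", third_party_cannot_use_session())
    print("port forward reaches in :", forward_exposes_host())
```

The point the model makes concrete is Rory's: the "security" is the state table plus a deny for anything not in it, not the address rewriting. The rewriting is what lets two hosts share one WAN address; the deny is what an attacker has to defeat, and each route in this thread (UPnP, CSRF against the admin page, the DCC pinhole, or simply getting the victim to connect out first) is a way of putting an entry into that table without the owner choosing to.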